
How is data recovered exactly?

I am not all too familiar with how computer forensic experts recover data. All I know is this:

1. The box has to be secured so no damage is done to the data

2. All the files including hidden, deleted and encrypted files are copied

My questions for you guys are these:

1. Securing the data seems easy enough, but what about data that has been purposefully damaged so evidence can be hidden? Also, can prosecutors add an obstruction of justice charge if the accused was in fact trying to destroy the data? Lastly, say for instance somebody was known to use the Internet for crimes, say e-mail and the like, and the accused did get rid of the data, how can prosecutors connect the two?

When trying to hide or destroy information, how does the forensic investigator recover the data from physically damaged disks? Is there always a way to recover it, or does it come to a point where it cannot be recovered? I know this much... overwriting the disk with hex values and the like may not save you because of swap space... but I could be wrong here.

2. When copying files from physically damaged disks, how is this done? Is the information copied from the damaged disk to another disk, and how are you assured all the files will be intact and defense lawyers cannot contest planting of evidence?

Data isn't "copied" per se. It's *officially* (I say officially because it's just a buzz word) called a bit stream copy. It's really just a mirror image of the original disk.

Securing the data is one of the simplest, yet most botched parts of forensics. An improperly imaged disk, or modified data, can destroy any case. To my knowledge, obstruction of justice charges can only be applied IF it can be proven that the person in question caused the damage.
Connecting a person to a crime is difficult and it's also a weak point in the system. Recently there was a kid in Europe that "hacked" a port harbor system in Texas. (I can't remember all of the details.. if someone can dig up the story.. paste it here). In short, the kid got off because the prosecutors failed to link him to the use of the tools in question. The defense claimed that hackers compromised his system and used his computer as a jump point. Whether this is true or not.. we'll never know. Just like a regular crime.. it must be proven without doubt. This is why the evidence collecting methods are imperative and why chain of evidence is so important.

How do you recover physically damaged disks... Well it takes money and someone that is damn good with an electron microscope. Typically the hard drive will be put in a clean lab, the covers will be removed and the platters will be removed as well. The platters are then placed under the scope and what is left of them is recovered by determining a 1 or 0. Very tedious..very difficult..VERY expensive.
The government deems something "unrecoverable" after the 5220 process but I don't think they trust it all that well. The air force has an even more rigorous procedure.

Having never recovered something from a physically damaged disk I don't know exactly how it's done.
The chain of evidence is what prevents things from being planted: never being alone with the evidence, documenting everything..

here's a little snippet from a website: G) Remember to document everything that goes on! Who did what, how, why, and at what time. Also, make sure that you have your designated custodian for the chain of custody initial each item after double-checking the list you have created AT THE SCENE. So, you have noted the configuration, the components, etc., and then the custodian of the evidence double checks your list and puts his/her initials next to yours while at the scene. It is imperative to do this checking at the scene so as to dispel the possibility of evidence tainting at a later date.

Decrypting encrypted files is a huge chore. This is partially where the volatile data collection comes in to play because the decryption key could potentially be resident in memory. Typically though, things like EFS have recovery keys, and using password crackers is always fun. If you have specific questions regarding decrypting encrypted files I, and others will try our best to answer them.

HTH

Antionline in a nutshell
"You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"
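To make the difference between "copying files" and a bit stream copy concrete, here is an added example (my own illustration, not code from the poster or from any forensic tool). It builds a constructed toy disk whose layout (a directory table in sector 0, file bytes in later sectors) is an assumption made for the demo. A logical file copy walks the directory and so sees nothing once the entry is cleared, while the sector-by-sector image still carries the bytes, and the hash recorded during acquisition is what lets a second examiner confirm the image is the disk.

```python
import hashlib
import io

SECTOR = 512          # read granularity for the imager (assumption: sector-sized blocks)
DIR_ENTRY = 32        # bytes per directory entry in the toy layout (assumption)
NUM_SECTORS = 8


def make_toy_disk() -> bytearray:
    """Build a constructed miniature 'disk': sector 0 holds a directory table
    of fixed-width entries 'name|start_sector|length', later sectors hold the
    file bytes. This layout is invented for the demo, not a real filesystem."""
    disk = bytearray(SECTOR * NUM_SECTORS)
    disk[0:DIR_ENTRY] = b"report.txt|1|22".ljust(DIR_ENTRY, b"\x00")
    disk[SECTOR:SECTOR + 22] = b"quarterly report draft"   # constructed sample content
    return disk


def list_files(disk: bytes) -> dict:
    """Logical view: what a plain file-by-file copy would see. Walks the
    directory table until the first all-zero entry."""
    files = {}
    for off in range(0, SECTOR, DIR_ENTRY):
        entry = bytes(disk[off:off + DIR_ENTRY]).rstrip(b"\x00")
        if not entry:
            break
        name, start, length = entry.split(b"|")
        start, length = int(start), int(length)
        files[name.decode()] = bytes(disk[start * SECTOR:start * SECTOR + length])
    return files


def delete_file(disk: bytearray, index: int = 0) -> None:
    """Mimic an ordinary delete: only the directory entry is cleared; the
    file's sectors are left untouched until something reuses them."""
    off = index * DIR_ENTRY
    disk[off:off + DIR_ENTRY] = b"\x00" * DIR_ENTRY


def acquire_image(device: bytes, block_size: int = SECTOR):
    """Bit-stream acquisition: copy every byte of the source, block by block,
    hashing the source as it is read. Returns (image_bytes, acquisition_hash)."""
    src = io.BytesIO(device)
    dst = io.BytesIO()
    digest = hashlib.sha256()
    while True:
        chunk = src.read(block_size)
        if not chunk:
            break
        digest.update(chunk)
        dst.write(chunk)
    return dst.getvalue(), digest.hexdigest()


def verify_image(image: bytes, acquisition_hash: str) -> bool:
    """Re-hash the stored image independently and compare with the hash
    recorded at acquisition; a mismatch means the copy is not the disk."""
    return hashlib.sha256(image).hexdigest() == acquisition_hash


def find_remnant(image: bytes, needle: bytes) -> int:
    """Simplest possible recovery: search the image, allocated or not, for
    known content. Returns the byte offset, or -1 if absent."""
    return image.find(needle)


if __name__ == "__main__":
    disk = make_toy_disk()
    delete_file(disk)
    print("logical copy sees:", list_files(disk))
    image, digest = acquire_image(bytes(disk))
    print("image verifies:", verify_image(image, digest))
    print("deleted content at offset:", find_remnant(image, b"quarterly report draft"))
```

The acquisition hash is the piece that ties into the chain of custody discussed above: it is written into the acquisition notes at the scene, and anyone later handed the image can recompute it and show the image has not changed since.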

The story...
"The Caffrey case suggests that even if no evidence of a computer break-in is unearthed on a suspect's PC, they might still be able to successfully claim that they were not responsible for what their computer does, or what is found on its hard drive."

The Trojan defence has been successfully used in the UK courts before.

heh, now here's another question. How can prosecutors get the info needed to get the evidence needed to know it was not a trojan? Like you said, that would be tough, but can data recovery tools see if the skiddot tools were there, or is that really more circumstantial evidence than direct?

I think that's the problem the prosecution had. With something like this, you pretty much need to catch them in the act, or you have to hope there are logs of them saying they used it, or logs of them actually executing it. Most haxors like to brag about what they have done, and you might be able to find it in an email, or a chat log somewhere on the system. What you really have to try to do is build a case based on any piece of evidence you can find that is relevant to what you are trying to prove.


In the middle of responding to your post by PM I thought I'd add in a little blurb here that might help some folks out. I went to Mrs |ce, who is in her final term at law school, for the answers to the legal issues raised in the first posting here. Her response was that she's quite sure the laws vary from state to state on most things, and to check a lawyer in your area for the specifics, but in general the following would apply. She also said that this is NOT legal advice and to consult a lawyer if you're in some sort of trouble, because she isn't one, only a student.

Now that the disclaimer is done, on with the answers:
1a. Obstruction of Justice is the minimal charge which could apply. More likely the accused would be charged with evidence tampering IF they could prove he destroyed it on his machine.

1b. Email can be traced back through the sender's ISP to the specific IP address from which it was sent. This trace path along with the original message sent is enough to constitute sufficient evidence for arrest and prosecution. This particular law varies from state to state, but in Texas, the above is true. If you're not from Texas, or want to double check Mrs. |ce, please feel free to call your local DA's office.

2. We both collaborated on the answer to this one, from my techie point of view, and her legal point - here's our interpretation. Techie side - If I remember right, when a computer writes a file to disk, it's stamped with date/time. Even when the file is destroyed, this timestamp is included in the 'trashed' file which can be recovered. It is highly unlikely that a criminal would change the date/time on his machine to tamper with evidence, but it can be done if he thinks to do so. Such tampering can be detected however since there is a 'pattern' in which the computer writes its files to the drive. Although not necessarily in time ascending or descending order, the files are written to a disk in 'space available' and 'end of file' format - meaning it crams the files as tightly as possible in the sequence in which they're received. If a file is obviously out of synch with the others, it's most likely been written at a different time. Exception to this - defrag for efficient use, IF and only IF the files in question haven't yet been deleted, and are used often enough to be moved about on the disk. Again, tampering is possible, but the tamperer would have to be pretty sharp to think of doing this in the correct way. Legal side - evidence tampering is always difficult to prove unless the person is caught in the act of tampering, or the 'tampered' evidence is so deviant from the other evidence that it gets singled out.

Hope that all helped!

Even a broken watch is correct twice a day.

Which coder said that nobody could outcode Microsoft in their own OS? Write a bit and make a fortune!

The second one is arbitrary because email can be run through remailers that don't keep logs and it can be spoofed.

You are right about timestamps. They are called MAC times. MAC== modified, accessed, changed. If you are dealing with NTFS partitions then the information is all stored in the MFT. The MFT is a story for another day though.

Nice to know someone has access to a lawyer!

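The timestamp discussion in the "techie side" answer above and the MAC-times reply both come down to one check an examiner can script. The following is an added example of mine, not code from any poster, and it uses the POSIX stat fields rather than the NTFS MFT the reply mentions: on Linux the "changed" time (st_ctime) is updated by the kernel on every content write and every metadata change and cannot be set directly through the normal utime interface, so a file whose modified time runs ahead of its changed time, or sits in the future, did not get there through ordinary writes. The tolerance value and the file name are assumptions for the demo; on Windows, Python reports creation time in st_ctime instead, so the first indicator reads differently there.

```python
import os
import tempfile
import time

TOLERANCE = 2.0  # seconds of slack for timestamp granularity (assumption)


def mac_times(path: str) -> dict:
    """Return the three classic timestamps as seconds since the epoch.
    On POSIX, st_ctime is the inode-change time, which ordinary user APIs
    cannot set; on Windows Python reports creation time in that field."""
    st = os.stat(path)
    return {"modified": st.st_mtime, "accessed": st.st_atime, "changed": st.st_ctime}


def timestomp_indicators(times: dict, tolerance: float = TOLERANCE) -> list:
    """Flag orderings that a normal sequence of writes cannot produce.
    Every content write sets modified and changed together, and later
    metadata operations (chmod, rename, ...) only move 'changed' forward,
    so modified should never lead changed, and never lie in the future."""
    flags = []
    if times["modified"] > times["changed"] + tolerance:
        flags.append("modified_after_changed")
    if times["modified"] > time.time() + tolerance:
        flags.append("modified_in_future")
    return flags


def demo_timestomp() -> tuple:
    """Write a file, record the indicators, then push its mtime one hour
    into the future with os.utime (the same call a 'touch -d' uses) and
    record the indicators again. Returns (clean_flags, stomped_flags)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "evidence.txt")          # constructed sample file
        with open(path, "w") as f:
            f.write("constructed sample content\n")
        clean = timestomp_indicators(mac_times(path))
        future = time.time() + 3600
        os.utime(path, (future, future))                 # sets atime/mtime only
        stomped = timestomp_indicators(mac_times(path))
        return clean, stomped


if __name__ == "__main__":
    before, after = demo_timestomp()
    print("untouched file:", before)
    print("after utime:   ", after)
```

Back-dating (mtime set into the past) leaves a weaker trace, since a recent changed time with an old modified time is also what a plain chmod or rename produces; that is the case where the "files are crammed in sequence" argument above, comparing the suspect file's timestamps with its neighbours on disk, does the work rather than a single stat call.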